Home.... | log in.... | Pub my question! | Sign-up....

Java-index >> Java Enterprise System >> Java Enterprise System - General Discussion

SunOne Directory Server automount issue - PLEASE HELP!!!

I've installed Directory Server 5.2 on a solaris 9 machine with the latest patches and I've created 10 users user1-user10. I've initialized a solaris client and enabled the client to log in as a directory user. The user's home dir gets mounted automatically. I have configured my Fedora 4 client to bind to the SunOne Directory Server and do things like getent passwd user1 and su user1, but when I do a su - user1 I get:

su: warning: cannot change directory to /home/user1: No such file or directory

I have scoured the internet and found support ONLY for setting up a Fedora client to auth and automount against a SunOne Directory Server using TLS and SSL. I'm only using simple auth with crypted passwords as per my client's request. Also every example I can find on the web shows how to setup a RH/Fedora client to automount against an OpenLDAP style server and the syntax is different. Is there anybody here that can help me? I can post any information you need to troubleshoot further. I've spent a huge amount of time trying to make this work and my client has expressed his concerns. Please help me, thanks.

[1140 byte] By [hardware_man] at [2007-11-26 6:15:31]

«« Identity Manager and SAP 5.0 support?
»» Hardcoded ou=People container below BaseDN!?

# 1

I have documented how to make RHEL4 Client works with SUN ONE DS5.2 at my HOW-TO, I think it should apply also to RHFC4.

It requires an unofficial "hack" to make "cn" OPTIONAL attribute of objectclass "automount" and "ou" OPTIONAL attribute of objectclass "automountmap".

Also you must have autofs 4.1.3-114 or later for it to work, for 4.1.4-5 autofs which is provided by RHEL4, pls add a missing line "+auto.master" to the /etc/auto.master, as the FIRST line.

Note that whenever db2ldif export is used to re-import (ldif2db), IT WILL remove the unofficial "hack" to the two objectclasses, so the hack has to be re-applied again.

<a href="http://web.singnet.com.sg/~garyttt" target="_blank">http://web.singnet.com.sg/~garyttt</a>

<a href="http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20iPlan et%20Directory%20Server%20for%20Solaris9.htm" target="_blank"> http://web.singnet.com.sg/~garyttt/Installing%20and%20config uring%20iPlanet%20Directory%20Server%20for%20Solaris9.htm</a>

Installing and configuring iPlanet Directory Server for Solaris9

Step 5: Configure 齛utomount?to work with RedHat or Solaris Native LDAP Clients

Assumtions: one or more NFS Servers, eg: nfs_server and nfs_server2 have exported /home directories.

First, at the LDAP Server, modify the LDAP objects 齛utomount?and 齛utomountMap?in SUN ONE Console, to add optional attribute.

Open Directory Server, click "Configuration" tab, click "Schema", at "User Defined Object Classes":

Select "automount", click "Edit", add "cn" to "Allowed Attributes", click "OK".

Select "automountMap", click "Edit", add "ou" to "Allowed Attributes", click "OK"

Second, at the LDAP Server, create the automount maps for SUN ONE DS5.2, below is a sample, there are two sets, auto_* for Solaris Native LDAP Client and auto.* for RedHat LDAP Client.

# cat automount_sun1ds52.ldif

dn: automountMapName=auto_master,dc=example,dc=com

objectClass: top

objectClass: automountMap

automountMapName: auto_master

dn: automountkey=/home,automountMapName=auto_master,dc=example,d c=com

objectClass: top

objectClass: automount

automountKey: /home

automountInformation: auto_home -nobrowse

dn: automountkey=/-,automountMapName=auto_master,dc=example,dc=c om

objectClass: top

objectClass: automount

automountKey: /-

automountInformation: auto_direct

dn: automountMapName=auto_home,dc=example,dc=com

objectClass: top

objectClass: automountMap

automountMapName: auto_home

dn: automountkey=*,automountMapName=auto_home,dc=example,dc=com

objectClass: top

objectClass: automount

automountKey: *

automountInformation: nfs_server:/home/&

dn: automountKey=/home2,automountMapName=auto_direct,dc=example, dc=com

objectClass: top

objectClass: automount

automountKey: /home2

automountInformation: nfs_server2:/home

dn: ou=auto.master,dc=example,dc=com

objectclass: top

objectclass: automountMap

automountmapname: auto.master

ou: auto.master

dn: cn=/home,ou=auto.master,dc=example,dc=com

objectclass: top

objectclass: automount

automountinformation: ldap:ou=auto.home,dc=example,dc=com

automountkey: /home

cn: /home

dn: ou=auto.home,dc=example,dc=com

objectclass: top

objectclass: automountMap

automountmapname: auto.home

ou: auto.home

dn: cn=/,ou=auto.home,dc=example,dc=com

objectclass: top

objectclass: automount

automountinformation: nfs_server:/home/&

automountkey: /

cn: /

And add it into the DIT.

# ldapadd -c -D "cn=Directory Manager" -f automount_sun1ds52.ldif

Third, at LDAP Server, create cn=tls_automount_profile under ou=profile,dc=example,dc=com

...

Forth, at the Solaris Native LDAP Client ONLY, create corresponding ldap_client_file (and ldap_client_cred if different proxy password), and restart ldap_cachemgr and nscd.

...

(Third and Forth step are meant to setup ldap profile for Solaris Native LDAP Client in LDAP DIT, skip them if not related to your objective)

...

Fifth, create /etc/auto_master, /etc/auto_home and /etc/auto_direct for Solaris, create /etc/auto.master and /etc/auto.home for RedHat and restart autofs/automountd.

IMPORTANT NOTE 1: RedHat autofs/automountd has bug, please download and install the latest autofs rpm from Fedora Core3 download site: <a href="http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/i386/au tofs-4.1.3-114.i386.rpm" target="_blank"> http://download.fedora.redhat.com/pub/fedora/linux/core/upda tes/3/i386/autofs-4.1.3-114.i386.rpm</a>

IMPORTANT NOTE 2: For RedHat autofs/automountd to work, please ensure that $ETC_OPENLDAP/ldap.conf (usually /etc/openldap.conf contains 齢ost?and 齜ase?statements for automountd to read, please note that RedHat automountd does not read /etc/ldap.conf)

Sample contents for Solaris Native LDAP Client:

# cat /etc/auto_master

# Master map for automounter

+auto_master

/net-hosts-nosuid,nobrowse

/homeauto_home-nobrowse

/xfn-xfn

/- auto_direct

# cat /etc/auto_home

# Home directory map for automounter

+auto_home

# cat /etc/auto_direct

+auto_direct

Sample contents for RedHat LDAP Client, note that RedHat does not have auto.direct.

# cat /etc/auto.master

+auto.master

/misc/etc/auto.misc

/net/etc/auto.net

IMPORTANT Note: for autofs 4.1.4-5 RPM which is provided by RHEL4, the first line "+auto.master IS MISSING, please add it)

# cat /etc/auto.home

+auto.home

# cat /etc/openldap/ldap.conf

HOSTldap1.example.com ldap2.example.com

BASE dc=example,dc=com

TLS_CACERT/etc/openldap/cert7.pem

(Read other step in my HOW-TO on how to create cert7.pem if you are using TLS)

For Solaris or RH:

# /etc/init.d/autofs stop

# /etc/init.d/autofs start

For RH:

# service autofs restart

# service autofs status

Sixth, test autofs/automount by logging in as 齯id? check 齞f 齥?to see if /home/uid is mounted, do a 齝d /home/uid2?and check again.

$ pwd

/home/uid

$ df -k

Filesystemkbytesusedavail capacity Mounted on

?br />nfs_server:/home/uid

355069743 160782087 19073695946%/home/uid

nfs_server2:/home

?28%/home2

$ cd /home/uid2

$ df -k

===============================

HTH.

Gary

GaryTay at 2007-7-6 13:54:39 >

top of Java-index,Java Enterprise System,Java Enterprise System - General Discussion...

# 2

It worked Gary, but what I had to do was re-jumpstart my sol9 server and remove all the IPLT pkgs, I know you can exclude them when you setup your jumpstart profile, but I was too lazy. I then did a fresh install of ds5.2 on the sol9 server and setup the server in a typical way without using tls and ssl. I then modified your automount ldif file with my own info. It barfed on the solaris automount stuff because I had already added the sol-automount stuff from the sol-client using the ldapaddent command, but the auto.* linux stuff copied right into the directory. I then re-started autofs on the linux client and I could su- user1 and also logout root and log back in as user1. BTW, the only 2 things I need to specify in the /etc/ldap.conf file are the host and the base. I currently have:

ssl no

tls_cacertdir /etc/openldap/cacerts

pam_password md5

but I don't think you really need them. The solaris 9 client could still su - user1, but in order for me to log out as root and log back in as user1 I had to modify my pam.conf file.

Gary, thankyou so much for your very detailed how-to instructions on the web. They are better than anything I could find from Sun. I think Sun wants you to pay for their advice. They are going to have a celebration lunch here in honor of our success at getting this setup, please feel free to join us if you're free this week for lunch.

hardware_man at 2007-7-6 13:54:39 >

# 3

Great to hear this.I am a Singaporean living and working in Singapore, so I will definitely miss this celebration.If you ever visit Singapore, you may contact me via email.Gary

GaryTay at 2007-7-6 13:54:39 >

# 4

Thanks Gary, I will take you up on that. I hear Singapore is a beautiful country to visit.

hardware_man at 2007-7-6 13:54:39 >

# 5

Gary,

I followed your directions for getting home directories to mount on linux clients against a sun one directory server 5.2 running on solaris 9. My problem now is that my client needs to be able to do 2 things,

1. mount by group, ie.., if a person belongs to the 'switching' group, then when he logs in the nfs share filer_server:/switching will be mounted to /projects/switching or if he was in the 'ip' group, then when he logs in he would mount filer_server:/ip to /projects/ip on his local linux machine.

2. I've spent a couple of days now on this and I'm admitting that I'm at my wits end. I can get auto_master to point to auto_direct in the directory and when a user (haven't even begun to figure out the mount by group thing yet)

logs in on a Solaris machine, nfs share filer_server:/ip gets mounted to/projects/ip. I cannot for the life of me get this to work on linux though.

I have tried everything under the sun, can somebody tell me why I cannot get the direct mount piece to work with linux? Is there some autofs idiosyncrasy that I'm not aware of? Again, we're breaking new ground here obviously

because I cannot find anything on google about this. I will send along anyserver config data that anyone needs to help me answer this one if you request it, thanks.

output on my local linux box when I su to user1 (a user that exists on the directory server:

<a href="mailto:[root@lin-client" target="_blank">[root@lin-client</a> ~]# /etc/init.d/autofs status

Configured Mount Points:

/usr/sbin/automount --timeout=60 /homes ldap ou=auto.home,dc=sprintlabs,dc=com

/usr/sbin/automount --timeout=60 /projects/ip ldap ou=auto.misc,dc=sprintlabs,dc=com

Active Mount Points:

/usr/sbin/automount --timeout=60 /homes ldap ou=auto.home,dc=sprintlabs,dc=com

/usr/sbin/automount --timeout=60 /projects/ip ldap ou=auto.misc,dc=sprintlabs,dc=com

but when I go to /projects/ip I am not really in filer_server:/ip.

dn: automountMapName=auto_home,dc=sprintlabs,dc=com

objectClass: automountMap

objectClass: top

automountMapName: auto_home

dn: automountKey=*,automountMapName=auto_home,dc=sprintlabs,dc=c om

objectClass: automount

objectClass: top

automountKey: *

automountInformation: 172.25.235.227:/home/&

dn: automountMapName=auto_master,dc=sprintlabs,dc=com

objectClass: automountMap

objectClass: top

automountMapName: auto_master

dn: automountKey=/net,automountMapName=auto_master,dc=sprintlabs ,dc=com

objectClass: automount

objectClass: top

automountKey: /net

automountInformation: -hosts -nosuid,nobrowse

dn: automountKey=/homes,automountMapName=auto_master,dc=sprintla bs,dc=com

objectClass: automount

objectClass: top

automountKey: /homes

automountInformation: auto_home -nobrowse

dn: automountKey=/xfn,automountMapName=auto_master,dc=sprintlabs ,dc=com

objectClass: automount

objectClass: top

automountKey: /xfn

automountInformation: -xfn

dn: automountKey=/-,automountMapName=auto_master,dc=sprintlabs,d c=com

objectClass: automount

objectClass: top

automountKey: /-

automountInformation: auto_direct -nobrowse

dn: automountMapName=auto_direct,dc=sprintlabs,dc=com

objectClass: automountMap

objectClass: top

automountMapName: auto_direct

dn: automountKey=/projects/ip,automountMapName=auto_direct,dc=sp rintlabs,dc=com

objectClass: automount

objectClass: top

automountKey: /projects/ip

automountInformation: -ro,soft 199.2.53.226:/ip

dn: ou=auto.master,dc=sprintlabs,dc=com

objectClass: top

objectClass: automountMap

automountMapName: auto.master

ou: auto.master

dn: cn=/homes,ou=auto.master,dc=sprintlabs,dc=com

objectClass: top

objectClass: automount

automountInformation: ldap:ou=auto.home,dc=sprintlabs,dc=com

automountKey: /homes

cn: /homes

dn: cn=/projects/ip,ou=auto.master,dc=sprintlabs,dc=com

objectClass: top

objectClass: automount

automountInformation: ldap:ou=auto.misc,dc=sprintlabs,dc=com

automountKey: /projects/ip

cn: /projects/ip

dn: ou=auto.home,dc=sprintlabs,dc=com

objectClass: top

objectClass: automountMap

automountMapName: auto.home

ou: auto.home

dn: ou=auto.misc,dc=sprintlabs,dc=com

objectClass: top

objectClass: automountMap

automountMapName: auto.misc

ou: auto.misc

dn: cn=/,ou=auto.home,dc=sprintlabs,dc=com

objectClass: top

objectClass: automount

automountInformation: 172.25.235.227:/home/&

automountKey: /

cn: /

dn: cn=/,ou=auto.misc,dc=sprintlabs,dc=com

objectClass: top

objectClass: automount

automountInformation: 199.2.53.226:/ip

automountKey: /

cn: /

As I said before the direct mounting of the filer's share 'ip' gets mounted to /projects/ip on the solaris machine but not on the linux machine.

hardware_man at 2007-7-6 13:54:39 >

# 6

I can't solve your problem #2, I can solve your problem #1 by:

On DS5.2 LDAP Server, ldapadd this ldif file:

dn: cn=/projects,ou=auto.master,dc=sprintlabs,dc=com

objectclass: top

objectclass: automount

automountinformation: ldap:ou=auto.projects,dc=sprintlabs,dc=com

automountkey: /projects

cn: /projects

dn: ou=auto.projects,dc=sprintlabs,dc=com

objectclass: top

objectclass: automountMap

automountmapname: auto.projects

ou: auto.projects

dn: cn=/,ou=auto.projects,dc=sprintlabs,dc=com

objectclass: top

objectclass: automount

automountinformation: 199.2.53.226:/projects/&

automountkey: /

cn: /

On RHEL4 LDAP Client

# mkdir /projects

unmount all mounted autofs and "service autofs restart"

# cd /projects

# cd ip

# df -k

199.2.53.226::/projects/ip

16158081440864126464 92% /projects/ip

Gary

GaryTay at 2007-7-6 13:54:39 >

# 7

Gary thanks,

It worked, but there is no 'projects' share on the filer, there's only an 'ip' share and a 'switching' share and an 'iog' share etc... so what I had to do was change the ldif file a little. I made the automountKey '/projects/ip', but left the cn as /projects because I think having the second slash in a cn name may be illegal, I may be wrong about that. Then I changed the name of the filer from the ip address to the dns name because I noticed that I couldn't manually mount anything from that filer on my linux client using the ip address. And finally I changed the name of the share after the dns name to match the real share on the filer, i.e..., dns.name.com:/ip. Again you come through for me Gary, thanks a lot. I'll share my solution with you when I figure out how to mount by group.

hardware_man at 2007-7-6 13:54:39 >

# 8

Hi Gary,

As I said, the automount mechanism works, but I have discovered a flaw. The filer that's hosting the nfs shares has an older version of ontap and we'll be updating it this Friday, but my Linux client has problems with the nfs shares on that filer. Here's some output:

<a href="mailto:[root@lin-client" target="_blank">[root@lin-client</a> etc]# cd /projects

<a href="mailto:[root@lin-client" target="_blank">[root@lin-client</a> projects]# ls -la

total 8

drwxr-xr-x2 root root0 Dec 14 17:02 .

drwxr-xr-x 26 root root 4096 Dec 14 16:47 ..

<a href="mailto:[root@lin-client" target="_blank">[root@lin-client</a> projects]# su - bills

-bash-3.00$ cd /projects

-bash-3.00$ ls -la

total 8

drwxr-xr-x2 root root0 Dec 14 17:02 .

drwxr-xr-x 26 root root 4096 Dec 14 16:47 ..

-bash-3.00$ cd ip

-bash: cd: ip: Permission denied

-bash-3.00$ ls -la

total 16

drwxr-xr-x3 root root0 Dec 14 17:13 .

drwxr-xr-x 26 root root 4096 Dec 14 16:47 ..

drwxrws 30 root 10001 8192 Aug 1 18:22 ip

-bash-3.00$ cd iog

-bash: cd: iog: Permission denied

-bash-3.00$ ls -la

total 24

drwxr-xr-x4 root root0 Dec 14 17:13 .

drwxr-xr-x 26 root root 4096 Dec 14 16:47 ..

drwxrws 30 root 10001 8192 Aug 1 18:22 iog

drwxrws 30 root 10001 8192 Aug 1 18:22 ip

<a href="mailto:[root@lin-client" target="_blank">[root@lin-client</a> projects]# service autofs status

Configured Mount Points:

/usr/sbin/automount --timeout=60 /homes ldap ou=auto.home,dc=sprintlabs,dc=com

/usr/sbin/automount --timeout=60 /projects ldap ou=auto.projects,dc=sprintlabs,dc=com

Active Mount Points:

/usr/sbin/automount --timeout=60 /homes ldap ou=auto.home,dc=sprintlabs,dc=com

/usr/sbin/automount --timeout=60 /projects ldap ou=auto.projects,dc=sprintlabs,dc=com

As you can see, autofs is somehow mounting the shares on the linux machine but they are invisible until the user tries to cd into them, and then they are not the ownership that exists on the filer. BTW on my solaris client the folders iog and ip mount under the local folder /projects and you can see them up front. You can also go into those folders as expected. Now the funny thing is, if I use another newer filer with ldap enabled on it, the linux client is happy and the behaviour for the mounted nfs shares is normal.

What's really weird is that there are no groups that I can find that have that gid 10001 and notice how the sticky bit is set in the inode table. Please help me Gary, thanks.

P.S. Gary, I thought of one more thing, do you know why if I uncomment the line #rootbinddn "cn=Directory Manager" then I cannot bind to the ldap server? I have a file in /etc called ldap.secret with the Directory Manager password, but I just typed it in there plain text. Was I supposed to get the crypted version of that password and put that in there? Thanks Gary.

<a href="mailto:[root@lin-client" target="_blank">[root@lin-client</a> projects]# cat /etc/ldap.conf

host ldap-test.sprintlabs.com

base dc=sprintlabs,dc=com

ldap_version 3

binddn cn=proxyagent,ou=profile,dc=sprintlabs,dc=com

bindpw proxy

#rootbinddn "cn=Directory Manager"

port 389

pam_filter objectclass=posixAccount

pam_login_attribute uid

pam_member_attribute memberUid

pam_password crypt

nss_base_passwd ou=people,dc=sprintlabs,dc=com?one

nss_base_shadow ou=people,dc=sprintlabs,dc=com?one

nss_base_group ou=group,dc=sprintlabs,dc=com?one

nss_base_netgroupou=netgroup,dc=sprintlabs,dc=com?one

#ssl start_tls

#tls_checkpeer yes

#tls_cacertfile /etc/openldap/cert7.pem

#tls_cacertdir /etc/openldap/cacerts

ssl no

P.S.S. Here's some output from /var/log/messages when I'm binding and attempting to mount those folders:

<a href="mailto:[root@lin-client" target="_blank">[root@lin-client</a> etc]# tail -f /var/log/messages

Dec 14 16:44:24 lin-client automount[3672]: lookup(ldap): got answer, but no first entry for (&(objectclass=automount)(cn=ip))

Dec 14 16:44:24 lin-client automount[3672]: lookup(ldap): got answer, but no first entry for (&(objectclass=nisObject)(cn=/))

Dec 14 16:49:26 lin-client su(pam_unix)[3738]: session opened for user bills by (uid=0)

Dec 14 16:49:26 lin-client automount[3740]: lookup(ldap): got answer, but no first entry for (&(objectclass=nisObject)(cn=bills))

Dec 14 16:49:26 lin-client automount[3740]: lookup(ldap): got answer, but no first entry for (&(objectclass=automount)(cn=bills))

Dec 14 16:49:26 lin-client automount[3740]: lookup(ldap): got answer, but no first entry for (&(objectclass=nisObject)(cn=/))

Dec 14 16:49:39 lin-client automount[3768]: lookup(ldap): got answer, but no first entry for (&(objectclass=nisObject)(cn=ip))

Dec 14 16:49:39 lin-client automount[3768]: lookup(ldap): got answer, but no first entry for (&(objectclass=automount)(cn=ip))

Dec 14 16:49:39 lin-client automount[3768]: lookup(ldap): got answer, but no first entry for (&(objectclass=nisObject)(cn=/))

Dec 14 16:49:53 lin-client su(pam_unix)[3636]: session closed for user bills

attached is a snoop output taken on lin-client and ldap-test (my linux ldap client and my solaris ldap server). At the time of the snoop I was authenticating and trying to mount ip and iog to /projects.

hardware_man at 2007-7-6 13:54:39 >

# 9

I tested using standard Solaris8 NFS file server, so you got it worked on newer Filer (NetApp?) with LDAP support.

You wrote:

===

What's really weird is that there are no groups that I can find that have that gid 10001 and notice how the sticky bit is set in the inode table. Please help me Gary, thanks.

===

1) There is this sample ou=Groups created duing DS5.2 install if you chosed to "populate it with sample data", this ou is usually not used, and you should have created another ou=group and ldapadd some group data into LDAP DIT, with that you should explicity define SSD for ou=group in LDAP DIT and ldap_client_file, something like:

NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=example,dc=com?one

NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=example,dc=com?one

NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=example,dc=com?one

NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=example,dc=com?one

A sample group.ldif with only one entry is shown here

dn: cn=Users,ou=group,dc=example,dc=com

cn: Users

gidNumber: 102

objectClass: top

objectClass: posixGroup

memberUid: gtay

memberUid: tuser

2) Simply remove /etc/ldap/secret, you don't need this file at all, having it is a security risk. For DS5.2 all name service db lookup should bind as the proxy credentials initially, the access/errors log should show the binding details.

3) If you add a user in admin console GUI, to make it compatible with LDAP name service, you have to enable posixAccount (so that you could enter uid and posixGroup ID) as well as use "Edit with generic editor" to add "shadowAccount" objectClass, otherwise it won't be very happy working with LDAP name services.

Gary

GaryTay at 2007-7-6 13:54:40 >

# 10

You're right Gary, it was a group thing. NIS is running on that older filer and enforcing groups and it didn't know my ldap groups. I had to change the gid of the ldap users to get it to work. What's funny though is that the shares are invisible until you cd into them. Can't figure that one out yet. BTW I was wrong above when I was saying that I had to create a local mount point on the linux machine called /projects/ip and change the automountKey to /projects/ip, I only had to make them both projects and then share /ip from the filer to /projects on the local linux machine to get it to work. Now if I could just make the shares visible on the local machine. BTW I was wrong about there being no group with the gid of 10001, there is one and it's the group on the folder I was trying to mount locally but couldn't. It's a NIS group, maybe I have to turn off NIS on the linux machine?

hardware_man at 2007-7-6 13:54:40 >

# 11

Gary,

Remember how I said that when I went su - ldapuser on my fc4 machine I could cd into the folders that were being automounted from a filer to a local mount point /projects, but I could not see the folders by doing an ls -la in the /projects folder? Well after fiddling around for hours I finally figured out what it was. I knew that my home dir was mounting fine so I looked back at your instructions and noticed how you say there should be an /etc/auto.home dir with +auto.home in it. Well I didn't have an /etc/auto.projects folder so what I did is create one and put +auto.projects in it and then I had to unmount everything and restart autofs to get it to work and now when I su to an ldap user and go to /projects I see:

(lin-client-bills) [15:03:32] /projects$ ls -la

total 8

drwxr-xr-x7 root root0 Dec 15 15:03 .

drwxr-xr-x 26 root root 4096 Dec 14 17:40 ..

dr-xr-xr-x2 root root0 Dec 15 15:03 adl

dr-xr-xr-x2 root root0 Dec 15 15:02 iog

dr-xr-xr-x2 root root0 Dec 15 15:02 ip

dr-xr-xr-x2 root root0 Dec 15 15:02 otg

dr-xr-xr-x2 root root0 Dec 15 15:02 videoip

Thanks again so much Gary for all of your help, you da man!!!!

hardware_man at 2007-7-6 13:54:40 >

# 12

Gary,

I opologize. I was wrong again. To solve the "invisible" folder problem when mounting those remote shares to my local linux machine was to go into /etc/profile and add:

cd /projects/ip

cd /projects/iog

cd /projects/otg

cd /projects/videoip

cd /projects/adl

this /etc/profile I see is the standard profile for someone that the admin gives a bash shell to in the ldap passwd file. It's the only work around I can think of for now but it works.

hardware_man at 2007-7-6 13:54:40 >

# 13

Congras, you are really a hands-on guy who worked thru. all these.

The "+auto.home" and "+auto.projects" are really OPTIONAL, and if "automount files ldap" appears in /etc/nsswitch.conf" and "+auto.projects" appears as 1st line in /etc/auto.projects, it points back to NIS or LDAP maps.

They exist in case you need to OVERRIDE NIS/LDAP automount maps with local files settings, I think. However if you FILER is happy with it, do let it be.

Many are still not used to the "Invisible directories" behaviour of autofs/automount, the key (ip) and the mountpoint (/projects) will be AUTO mounted AS AND WHEN they are accessed using file system access command like "ls -ald" or "cd".

# umount /projects/ip

# df -k

Filesystem1K-blocksUsed Available Use% Mounted on

/dev/mapper/VolGroup00-LogVol00

928908041419804675244 47% /

/dev/hda1101086903186836 10% /boot

none 95644 0956440% /dev/shm

# ls -ald /projects/ip

drwxr-xr-x 2 root root 512 Dec 14 17:28 /projects/ip

# ls -al /projects/ip

total 1

drwxr-xr-x 2 root root 512 Dec 16 11:25 .

drwxr-xr-x 3 root root0 Dec 16 11:24 ..

-rw-r--r-- 1 root root0 Dec 16 11:25 testfile

# cd /projects/ip

# ls -alrt

total 1

drwxr-xr-x 3 root root0 Dec 16 11:24 ..

-rw-r--r-- 1 root root0 Dec 16 11:25 testfile

drwxr-xr-x 2 root root 512 Dec 16 11:25 .

# df -k

Filesystem1K-blocksUsed Available Use% Mounted on

/dev/mapper/VolGroup00-LogVol00

928908041419804675244 47% /

/dev/hda1101086903186836 10% /boot

none 95644 0956440% /dev/shm

nfs_server:/projects/ip

16158081442560124768 93% /projects/ip

Gary

GaryTay at 2007-7-6 13:54:40 >

# 14

Read these for more info on RHEL/FC client.# man -s 5 autofs# man -s 8 autofs# man -s 8 automount# man -s 5 auto.masterGary

GaryTay at 2007-7-6 13:54:40 >

# 15

Your wrote:

===

To solve the "invisible" folder problem when mounting those remote shares to my local linux machine was to go into /etc/profile and add:

cd /projects/ip

cd /projects/iog

cd /projects/otg

cd /projects/videoip

cd /projects/adl

===

You don't have to do so, it is useless, I think autofs will TIMED OUT after certain period of no access activities and these /mountpoint/keys get invisible again.

Or if there is reason to do so, then you probably need a regular cron job of "cd ..." to keep them as visible.

I may be wrong, anyone pls correct if I am.

Gary

GaryTay at 2007-7-21 15:00:37 >

# 16

Gary,

My customer doesn't want to do the wild card solution, i.e...,

automountKey: /projects

and

automountInformation: 199.2.53.226:/tools/&

and then on the filer tools looks like:

lrwxrwxrwx1 root bin6 Dec 19 11:16 iog -> ../iog

lrwxrwxrwx1 root bin5 Dec 19 11:16 ip -> ../ip

lrwxrwxrwx1 root bin6 Dec 19 11:16 otg -> ../otg

lrwxrwxrwx1 root bin10 Dec 19 11:16 videoip -> ../videoip

(This way you don't use the wild card on the root of the filer and end up sharing /etc and stuff like that.)

"&" being the "wild card" I'm speaking of. He wants to directly mount

each and every folder under the filer's root "/" dir (iog, otg, videoip,

ip, and adl) to the automountKey "/projects". I've changed up the

information in the directory a thousand different ways and have had no

luck in accomplishing this.

The reason for my client's insistence on having each folder under the

root directly mounted that way is because those folders are actually

"Q-Trees" which is a NetApp term that means you can set quotas and blah, blah, blah on them. My best solution was to create a folder called

"/tools" and put sim links in it that pointed back to the folders under

the root using relative path names, i.e..., ln -s ../adl adl.

If I directly mounted all the filer shares to the same folder /projects

I ended up going into each of the folders and seeing the same thing that

was in the ip folder. So in other words when you populate the directory

with the auto.master and auto.projects stuff, the first one to grab

the /projects folder reigns supreme.

He said an acceptable solution would be to just mount ip to /projects

and all the others could be mounted to root, i.e..., /adl, /otg, /videoip, etc... That worked to a point, but all the folders ended up being mounted to folders with their own names, i.e..., /adl/adl, and /otg/otg, etc....

He then said that the most important thing is just to directly mount ip

to /projects and I did and it seems to work, but I just discovered this

morning that if you go into /projects on the client and you type "cd

<any folder name>, i.e.., cd /projects/tokyo, you will go into that

folder and the same files that are in ip will be in that new mystery

folder.

Can anybody help me do what my customer really wants, i.e..., directly

mount ip, otg, videoip, etc... to /projects without using a wildcard in

the automountKey?

hardware_man at 2007-7-21 15:00:37 >

# 17

Read the man pages I mentioned in previous reply.

Try to run "automount" manually with "-d" debug mode and observe for more clues.

Eg:

# /usr/sbin/automount -d --timeout=60 /projects ldap ou=auto.projects,dc=example,dc=com

As I don't understand your client requirement, I have no further comment.

Gary

GaryTay at 2007-7-21 15:00:37 >

# 18

Gary, forget the automount stuff. I spent way too much time on that and in the end they decided that linux developers will mount their own remote nfs shares via the fstab file on their linux production machines. Eventually I'd like to create a web page with clear and concise directions on how to do heiarchical mounting with autofs on linux, until this project is over I'll have to accept the fact that there is not enough support currently available out there for me to do what I want.

Gary, if I follow your directions exactly as you've layed them out for using tls and ssl self signed certificates between the sun ds5.2 server and the linux client, it doesn't work. The best I can do is run the showcerts command on the linux client and it'll do a handshake with the server, but if I try to go "id tuser" it doesn't work, so in other words I cannot bind to the ldap server via tls because the cert that I copied over from the server appears to belong to the server and not the local client. Take my word for it, I did everything exactly as you've outlined on your web page. The only difference being that I've got a newer version of ssl installed on my sun ldap server. Here is my configuration:

******Server*******

ssl version openssl0.9.8a

<a href="mailto:root@ldap-test" target="_blank">root@ldap-test</a>:/var/Sun/mps/alias 181% ls -la

total 1178

drwxr-x4 rootother512 Jan 4 10:49 .

drwxr-xr-x 19 rootother512 Dec 30 15:18 ..

-rw-1 rootother65536 Dec 30 15:19 admin-serv-ldap-test-cert8.db

-rw-1 rootother32768 Dec 30 15:19 admin-serv-ldap-test-key3.db

drwxr-xr-x2 rootother512 Jan 3 11:05 backup_Tue

drwxr-xr-x2 rootother512 Jan 4 10:47 backup_Wed

-rwxr-xr-x1 rootother401748 Dec 30 15:17 libnssckbi.so

-rw-1 rootother32768 Dec 30 15:19 secmod.db

-rw-1 rootother65536 Jan 4 10:49 slapd-ldap-test-cert8.db

-rw-1 rootother32768 Jan 4 10:49 slapd-ldap-test-key3.db

-r--1 rootother 36 Jan 3 11:23 slapd-ldap-test-pin.txt

<a href="mailto:root@ldap-test" target="_blank">root@ldap-test</a>:/var/Sun/mps 167% /usr/local/ssl/bin/openssl s_client -connect localhost:636 -showcerts

CONNECTED(00000003)

depth=0/C=US/ST=California/L=Burlingame/O=Sprint/CN=ldap-test.sprin tlabs.com

verify error:num=18:self signed certificate

verify return:1

depth=0/C=US/ST=California/L=Burlingame/O=Sprint/CN=ldap-test.sprin tlabs.com

verify return:1

Certificate chain

0s:/C=US/ST=California/L=Burlingame/O=Sprint/CN=ldap-test.spr intlabs.com

i:/C=US/ST=California/L=Burlingame/O=Sprint/CN=ldap-test.spr intlabs.com

--BEGIN CERTIFICATE--

MIICaDCCAdGgAwIBAgIFAIExm0gwDQYJKoZIhvcNAQEEBQAwazELMAkGA1UE BhMC

VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEzARBgNVBAcTCkJ1cmxpbmdhbWUx DzAN

BgNVBAoTBlNwcmludDEhMB8GA1UEAxMYbGRhcC10ZXN0LnNwcmludGxhYnMu Y29t

MB4XDTA2MDEwNDE4NDg0OFoXDTA3MDQwNDE4NDg0OFowazELMAkGA1UEBhMC VVMx

EzARBgNVBAgTCkNhbGlmb3JuaWExEzARBgNVBAcTCkJ1cmxpbmdhbWUxDzAN BgNV

BAoTBlNwcmludDEhMB8GA1UEAxMYbGRhcC10ZXN0LnNwcmludGxhYnMuY29t MIGf

MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWRms6XqWmAqJbNouTD25yVdTW NDRu

kf38rgqyAZApcp7w2wnhNRBBVUtHPebHJZCWr9BlouaawUnEfv8SjGoz4fht A9mV

u3yx+VjDKiZNrUvuUlaz6LevMnTicyycQ7nA1C4734Mw/siZymCye+0ogE2h WFOQ

vDkJ9RbW2+sqXQIDAQABoxgwFjAUBglghkgBhvhCAQEBAf8EBAMCBkAwDQYJ KoZI

hvcNAQEEBQADgYEAZ+SnLHhsZ5Y7v4oG3u1PojYVG7Y/YAHvAKkJ1aUQKPOO bdSo

J3/J4nul2nqMvRXv60K5tScXCCEBHIN0L7mPaG3C9A6ZWjVzljqvgFZ43ZAS PuP4

mj5/XkqZxP2RAoITgGHFR+bRNfXDF4n4ToipSe9VbncRmWD5lCXKoVemt3U=

--END CERTIFICATE--

Server certificate

subject=/C=US/ST=California/L=Burlingame/O=Sprint/CN=ldap-te st.sprintlabs.com

issuer=/C=US/ST=California/L=Burlingame/O=Sprint/CN=ldap-tes t.sprintlabs.com

Acceptable client certificate CA names

/C=US/ST=California/L=Burlingame/O=Sprint/CN=ldap-test.sprin tlabs.com

SSL handshake has read 876 bytes and written 342 bytes

New, TLSv1/SSLv3, Cipher is RC4-MD5

Server public key is 1024 bit

Compression: NONE

Expansion: NONE

SSL-Session:

Protocol : TLSv1

Cipher: RC4-MD5

Session-ID:15FDD6C6CB13C4E052F7DD6EB6659B7477BDAC570CEE09F212A3913A8EFC D9D2Session-ID-ctx:

Master-Key:7363E25B9D0BF0BD68BF494AA1CEC30766894C7E679F236BD5B7EB27302C 60E0B00C3E4186D88230A2F221D662A8C8C5

Key-Arg: None

Start Time: 1136400789

Timeout: 300 (sec)

Verify return code: 18 (self signed certificate)

closed

******linux client******

<a href="mailto:[root@lin-client" target="_blank">[root@lin-client</a> ~]# openssl s_client -connect ldap-test.sprintlabs.com:636 -showcerts